Smith College Information Security Risk Assessment Checklist

This form contains a checklist for individual data handlers who are conducting an information security risk assessment of their work environment. The checklist is intended to provide you with options to consider in assessing information security risks. You and your department are encouraged to change, add, or delete specific and/or general items in the checklist to make the assessment more relevant to the specific environment and needs of your job or workplace. Please review the results of your assessment with your supervisor or manager. The ultimate goal of this process is for departments to develop plans and action items that will reduce their risk, help them align their business practices with risk management and compliance needs, and assist in evaluating a potential security breach event.

Name:
Location:
Date:

In summary, does the hard drive of your computer contain any legally-protected personal information* or other classified information? (YES / NO)

If YES, please provide the following information:
  Desktop computers -> Ethernet computer identifier:
  Laptop computers  -> Ethernet computer identifier:
                    -> Wireless computer identifier:

For instructions on finding your computer identifier(s), see: http://www.smith.edu/tara/security/computerid.html

For each item on the following checklist, please enter one of the following:
  Y  = Yes
  N  = No
  IP = In progress
  NA = Not applicable

Overall Location Assessment: For each location

  Has this location been inspected for the presence of both physical and electronic classified information?
  Is any PI* data stored in this location?
    If yes, is there a continuing business need to keep the information in this location?
    If yes, is the location locked or monitored during normal business hours?
    If yes, is the location locked and/or monitored during non-business hours?
    If yes, can only authorized personnel access the location?
    If yes, is classified information stored in a secured enclosure?
    If no, is there a plan to move the information to an appropriate location? Or, is there a plan to securely remove or destroy the information?

Physical Information Assessment: For any location in which classified information is stored or processed on physical media (e.g., paper, index cards, computer printout, etc.)

  Are there guidelines in place that specify who is granted access to classified information in this location?
  Is the information stored securely when not in use?
  Is there physical PI* data in this location?
    If yes, are there clear guidelines on how it is stored and accessed?
    If yes, are there clear guidelines for who is allowed to see or have copies of this information?

Electronic Information Assessment: For each computer you use in your location, please provide the following information.

  Computer type (Windows, Mac, other):
  Computer identifier (e.g., IP address, MAC address, or network name):

  Has the hard drive (C: drive) of this computer been scanned for PI* data using Identity Finder?
  Have all external devices used with this computer, including hard drives, thumb drives, and backup media, been scanned for PI* data using Identity Finder?
  Have you scanned your personal network drive (H: drive) for PI* data using Identity Finder?
  Did you find any PI* data?
    If yes, has the PI* data been reviewed with the relevant Data Custodian?
    If yes, have you decided what action to perform on the PI* data (e.g., shred, encrypt, scrub, move, or leave in place)?
    If yes, have all remediation steps been completed?
  Is any other classified information processed or maintained on this computer?
    If yes, has the data been reviewed by the relevant data custodian or their representative?
    Are any remediation steps required to ensure that only needed data is maintained?
    Are there clear guidelines in place for the storage and handling of the data?

Computer Security: Security considerations for all computer systems, including office desktops and laptops, that contain or process PI* data or other classified information

  Does the computer require a password on startup and wake from sleep mode?
  Does the computer have an idle timer set and a screen saver with password protection?
  Are system updates and security patch checks performed automatically by the system?
  Does the system have up-to-date virus and malware detection (e.g., McAfee VirusScan) installed?
  Are computer access passwords shared among several users?
    If yes, are there specific authorized user access controls for classified information?
  Are all files or folders containing confidential information protected by encryption or by at least two levels of passwords (e.g., workstation and network passwords)?
  Does the system have internal firewalls enabled and configured?
  Does the computer have a cable lock or other physical security protection?
  Does the computer have electrical surge or UPS protection?
  Is the computer used for other purposes not related to classified information?

Laptops and Other Portable Devices: Additional considerations for laptop systems and other portable devices that contain or process PI* data or other classified information

  Are all files or folders containing PI* information encrypted?
  Do you carry and use a cable lock when traveling?
  Does your laptop have a lost/stolen system retrieval service installed (e.g., CompuTrace)?
  For handheld devices, can the device be remotely wiped if lost or stolen?
  Are all removable storage devices stored in a secure location?
  Is there a procedure for securely destroying classified information from external storage?
  Is information about the laptop or other device recorded and maintained outside the device itself?
    If a laptop or other device is lost or stolen, it is very helpful to have its serial number, computer identifier(s), operating system type, and a list of files and folders containing classified information.

Data backups: Security considerations for backed-up data

  Is important information on local drives backed up at regular intervals?
  Are the backups and backup media encrypted or stored in a secure location?
  Is there a defined retention period for backup media?
  Is there a procedure for securely destroying classified information from backup storage?

Please enter any other comments or questions below: